1. Hacked? If you mean it can be changed easily before passing it on to another service, then yes, it is easily manipulated. In such cases you could encrypt your data in the XML before sending it publicly, eg, in 32 or 64 bit, 0-9A-V, or A-Za-z0-9+/
2. This declaration tells processors what type of encoding your xml will be using. This is used to ensure that the processor interprets your data using the correct character set. For most applications, the encoding processing instruction does not make a big difference. Some people/applications use different encodings, which could otherwise cause confusion.